1. Field of the Invention
The present invention relates to a technology for preventing an unknown worm from spreading using an anti-worm-measure means.
2. Description of the Related Art
In recent years, according to the spread of the Internet, damages caused by worms, which are a kind of computer viruses, frequently occur. The worms not only commit illegal acts like destructive acts but also use security holes of an operation system and the like for wrong purposes to hack into other information processing apparatuses connected by a network and repeat autosynthesis. Therefore, the damages caused by the worms tend to rapidly spread in a wide area.
To prevent the expansion of the damages by the worms, it is effective to install an anti-worm-measure program and monitor packets flowing on the network. Since subspecies and new species of the worms often appear in a short period of time, the anti-worm-measure program is created to detect and block unknown worms in addition to the known worms.
Detection of unknown worms is performed by, for example, monitoring fluctuation in a quantity of flow of a specific kind of packets in network traffic (see, for example, Japanese Patent Application Laid-Open No. 2005-134974). However, a certain degree of period is necessary from the time when a certain sign of communication by an unknown worm is detected in certain communication until the time when it is determined that the communication is communication by the worm and the communication is blocked.
If this period is reduced, it is highly likely that normal communication is detected as communication by an unknown worm by mistake. When such misdetection occurs, it is likely that the normal communication is blocked to hinder business and the like. Thus, usually, parameters for determining the period from the time when a sign of communication by an unknown worm is detected until the time when the communication is blocked are set with emphasis put on prevention of the misdetection.
However, when the parameters are set with emphasis put on prevention of the misdetection, the period until the communication is blocked is prolonged and infection of the worm spreads during the period. Therefore, it is necessary to examine the parameters from the viewpoint of prevention of the infection of the worm.